The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added four security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The list of vulnerabilities is as follows –
- CVE-2024-45195 (CVSS score: 7.5/9.8) – A forced browsing vulnerability in Apache OFBiz that allows a remote attacker to obtain unauthorized access and execute arbitrary code on the server (Fixed in September 2024)
- CVE-2024-29059 (CVSS score: 7.5) – An information disclosure vulnerability in Microsoft .NET Framework that could expose the ObjRef URI and lead to remote code execution (Fixed in March 2024)
- CVE-2018-9276 (CVSS score: 7.2) – An operating system command injection vulnerability in Paessler PRTG Network Monitor that allows an attacker with administrative privileges to execute commands via the PRTG System Administrator web console (Fixed in April 2018)
- CVE-2018-19410 (CVSS score: 9.8) – A local file inclusion vulnerability in Paessler PRTG Network Monitor that allows a remote, unauthenticated attacker to create users with read-write privileges (Fixed in April 2018)
Although these shortcomings have since been addressed by the respective vendors, there are currently no public reports about how they may have been exploited in real-world attacks.
Federal Civilian Executive Branch (FCEB) agencies have been urged to apply the necessary fixes by February 25, 2025, to safeguard against active threats.
